diff --git a/advisories/unreviewed/2024/12/GHSA-22c5-cpvr-cfvq/GHSA-22c5-cpvr-cfvq.json b/advisories/github-reviewed/2024/12/GHSA-22c5-cpvr-cfvq/GHSA-22c5-cpvr-cfvq.json similarity index 53% rename from advisories/unreviewed/2024/12/GHSA-22c5-cpvr-cfvq/GHSA-22c5-cpvr-cfvq.json rename to advisories/github-reviewed/2024/12/GHSA-22c5-cpvr-cfvq/GHSA-22c5-cpvr-cfvq.json index 04442f631d1c6..baab3d42a01f4 100644 --- a/advisories/unreviewed/2024/12/GHSA-22c5-cpvr-cfvq/GHSA-22c5-cpvr-cfvq.json +++ b/advisories/github-reviewed/2024/12/GHSA-22c5-cpvr-cfvq/GHSA-22c5-cpvr-cfvq.json @@ -1,11 +1,12 @@ { "schema_version": "1.4.0", "id": "GHSA-22c5-cpvr-cfvq", - "modified": "2024-12-12T09:31:36Z", + "modified": "2024-12-12T19:20:14Z", "published": "2024-12-12T09:31:36Z", "aliases": [ "CVE-2024-4109" ], + "summary": "undertow: information leakage via HTTP/2 request header reuse", "details": "A flaw was found in Undertow. An HTTP request header value from a previous stream may be incorrectly reused for a request associated with a subsequent stream on the same HTTP/2 connection. This issue can potentially lead to information leakage between requests.", "severity": [ { @@ -13,7 +14,27 @@ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], - "affected": [], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "io.undertow:undertow-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "2.3.18.Final" + } + ] + } + ] + } + ], "references": [ { "type": "ADVISORY", @@ -26,6 +47,14 @@ { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272325" + }, + { + "type": "PACKAGE", + "url": "https://github.com/undertow-io/undertow" + }, + { + "type": "WEB", + "url": "https://github.com/undertow-io/undertow/blob/6ae61c6af88d2a8341922ccd0de98926e8349543/core/src/main/java/io/undertow/protocols/http2/HpackDecoder.java#L250-L259" } ], "database_specific": { 
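Review bot: The new `affected` range for io.undertow:undertow-core closes with `{ "last_affected": "2.3.18.Final" }` instead of a `fixed` event, so tooling that consumes this record can say a version is affected but cannot name an upgrade target. Under OSV range semantics a `last_affected` bound also means every later release falls outside the range, so a 2.3.19 that still carries the header-reuse bug would be reported as clean; that is the wrong default for an information-leak advisory. If the release containing the HpackDecoder change linked in the references is known, replace the event with `{ "fixed": "<fixed-version>" }`; if it is not, say so in `details` so readers do not infer that 2.3.18.Final is the last bad release by accident. Pinning the source reference to a commit hash is good practice and should be kept when the range is tightened.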
@@ -33,8 +62,8 @@
 "CWE-200"
 ],
 "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-12-12T19:20:14Z",
 "nvd_published_at": "2024-12-12T09:15:06Z"
 }
 }
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/12/GHSA-25w9-wqfq-gwqx/GHSA-25w9-wqfq-gwqx.json b/advisories/github-reviewed/2024/12/GHSA-25w9-wqfq-gwqx/GHSA-25w9-wqfq-gwqx.json
index 3c1ba4fad19c9..ad1a734b8c388 100644
--- a/advisories/github-reviewed/2024/12/GHSA-25w9-wqfq-gwqx/GHSA-25w9-wqfq-gwqx.json
+++ b/advisories/github-reviewed/2024/12/GHSA-25w9-wqfq-gwqx/GHSA-25w9-wqfq-gwqx.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-25w9-wqfq-gwqx",
- "modified": "2024-12-12T17:42:34Z",
+ "modified": "2024-12-12T19:19:39Z",
 "published": "2024-12-11T18:44:50Z",
 "aliases": [
 "CVE-2024-55658"
@@ -51,6 +51,10 @@
 {
 "type": "PACKAGE",
 "url": "https://github.com/siyuan-note/siyuan"
+ },
+ {
+ "type": "WEB",
+ "url": "https://pkg.go.dev/vuln/GO-2024-3323"
 }
 ],
 "database_specific": {
diff --git a/advisories/github-reviewed/2024/12/GHSA-2r87-74cx-2p7c/GHSA-2r87-74cx-2p7c.json b/advisories/github-reviewed/2024/12/GHSA-2r87-74cx-2p7c/GHSA-2r87-74cx-2p7c.json
new file mode 100644
index 0000000000000..e428307c6678d
--- /dev/null
+++ b/advisories/github-reviewed/2024/12/GHSA-2r87-74cx-2p7c/GHSA-2r87-74cx-2p7c.json
@@ -0,0 +1,103 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2r87-74cx-2p7c", + "modified": "2024-12-12T19:21:06Z", + "published": "2024-12-12T19:21:06Z", + "aliases": [ + "CVE-2024-55877" + ], + "summary": "XWiki allows remote code execution from account through macro descriptions and XWiki.XWikiSyntaxMacrosList", + "details": "### Impact\nAny user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation.\n\nTo reproduce on a instance, as a connected user without script nor programming rights, go to your user profile and add an object of type `XWiki.WikiMacroClass`. Set \"Macro Id\", \"Macro Name\" and \"Macro Code\" to any value, \"Macro Visibility\" to `Current User` and \"Macro Description\" to `{{async}}{{groovy}}println(\"Hello from User macro!\"){{/groovy}}{{/async}}`.\nSave the page, then go to `/xwiki/bin/view/XWiki/XWikiSyntaxMacrosList`.\nIf the description of your new macro reads \"Hello from User macro!\", then your instance is vulnerable.\n\n### Patches\nThis vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0.\n\n### Workarounds\nIt is possible to manually apply [this patch](https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3#diff-92fee29683e671b8bc668e3cf4295713d6259f715e3954876049f9de77c0a9ef) to the page `XWiki.XWikiSyntaxMacrosList`.\n\n### References\n\n* https://jira.xwiki.org/browse/XWIKI-22030\n* https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.xwiki.platform:xwiki-platform-help-ui" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.7-rc-1" + }, + { + "fixed": "15.10.11" + } + ] + } + 
]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.xwiki.platform:xwiki-platform-help-ui"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "16.0.0-rc-1"
+ },
+ {
+ "fixed": "16.4.1"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.xwiki.platform:xwiki-platform-help-ui"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "16.5.0-rc-1"
+ },
+ {
+ "fixed": "16.5.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2r87-74cx-2p7c"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/xwiki/xwiki-platform"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jira.xwiki.org/browse/XWIKI-22030"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-96"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-12-12T19:21:06Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/12/GHSA-4pjc-pwgq-q9jp/GHSA-4pjc-pwgq-q9jp.json b/advisories/github-reviewed/2024/12/GHSA-4pjc-pwgq-q9jp/GHSA-4pjc-pwgq-q9jp.json
index fa492bfa3abff..0898d739879f6 100644
--- a/advisories/github-reviewed/2024/12/GHSA-4pjc-pwgq-q9jp/GHSA-4pjc-pwgq-q9jp.json
+++ b/advisories/github-reviewed/2024/12/GHSA-4pjc-pwgq-q9jp/GHSA-4pjc-pwgq-q9jp.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-4pjc-pwgq-q9jp",
- "modified": "2024-12-12T17:42:57Z",
+ "modified": "2024-12-12T19:20:33Z",
 "published": "2024-12-11T18:44:47Z",
 "aliases": [
 "CVE-2024-55660"
@@ -51,6 +51,10 @@
 {
 "type": "PACKAGE",
 "url": "https://github.com/siyuan-note/siyuan"
+ },
+ {
+ "type": "WEB",
+ "url": "https://pkg.go.dev/vuln/GO-2024-3324"
 }
 ],
 "database_specific": {
diff --git a/advisories/github-reviewed/2024/12/GHSA-75mx-hw5q-pvx3/GHSA-75mx-hw5q-pvx3.json b/advisories/github-reviewed/2024/12/GHSA-75mx-hw5q-pvx3/GHSA-75mx-hw5q-pvx3.json new file mode 100644 index 0000000000000..43ba7cf2363f6 --- /dev/null +++ b/advisories/github-reviewed/2024/12/GHSA-75mx-hw5q-pvx3/GHSA-75mx-hw5q-pvx3.json @@ -0,0 +1,73 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-75mx-hw5q-pvx3", + "modified": "2024-12-12T19:19:33Z", + "published": "2024-12-12T03:33:05Z", + "aliases": [ + "CVE-2024-55587" + ], + "summary": "python-libarchive directory traversal", + "details": "python-libarchive through 4.2.1 allows directory traversal (to create files) in extract in zip.py for ZipFile.extractall and ZipFile.extract.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "python-libarchive" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "4.2.1" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55587" + }, + { + "type": "WEB", + "url": "https://github.com/smartfile/python-libarchive/issues/42" + }, + { + "type": "WEB", + "url": "https://github.com/smartfile/python-libarchive/pull/41" + }, + { + "type": "PACKAGE", + "url": "https://github.com/smartfile/python-libarchive" + }, + { + "type": "WEB", + "url": "https://github.com/smartfile/python-libarchive/blob/c7677411bfc4ab5701d343bc6ebd9e35c990e80e/libarchive/zip.py#L107" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-12-12T19:19:33Z", + "nvd_published_at": "2024-12-12T02:08:22Z" + } +} \ No newline at end of file 
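Review bot: The two `severity` entries describe different attacks: the CVSS_V3 vector says `PR:L` with `C:H/I:H/A:H`, while the CVSS_V4 vector says `PR:N` with only `VI:H` and no confidentiality or availability impact, so a consumer that picks one scheme gets a different picture of who can exploit this and what they gain than one that picks the other. For a traversal that creates files, the integrity-only V4 reading is the more defensible of the two; the V3 vector should probably be reconciled with it or dropped, and whichever remains needs to agree with `database_specific.severity`. As in the GHSA-22c5-cpvr-cfvq entry earlier in this commit, the range ends with `{ "last_affected": "4.2.1" }`; if the referenced pull request 41 has shipped in a release, `{ "fixed": "<fixed-version>" }` would tell users what to upgrade to instead of only which versions are bad.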
diff --git a/advisories/github-reviewed/2024/12/GHSA-7prj-hgx4-2xc3/GHSA-7prj-hgx4-2xc3.json b/advisories/github-reviewed/2024/12/GHSA-7prj-hgx4-2xc3/GHSA-7prj-hgx4-2xc3.json new file mode 100644 index 0000000000000..6c407936195c2 --- /dev/null +++ b/advisories/github-reviewed/2024/12/GHSA-7prj-hgx4-2xc3/GHSA-7prj-hgx4-2xc3.json 
@@ -0,0 +1,55 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7prj-hgx4-2xc3", + "modified": "2024-12-12T19:20:26Z", + "published": "2024-12-12T19:20:26Z", + "aliases": [], + "summary": "Potential Vulnerabilities Due to Outdated golang.org/x/crypto Dependency in NanoProxy", + "details": "A security issue was identified in the NanoProxy project related to the `golang.org/x/crypto` dependency. The project was using an outdated version of this dependency, which potentially exposed the system to security vulnerabilities that have been addressed in subsequent updates.\n\nImpact:\nThe specific vulnerabilities in the outdated version of `golang.org/x/crypto` could include authorization bypasses, data breaches, or other security risks. These vulnerabilities can be exploited by attackers to compromise the integrity, confidentiality, or availability of the system.\n\nResolution:\nThe issue has been fixed in NanoProxy by upgrading the `golang.org/x/crypto` dependency to version 0.31.0. Users are strongly encouraged to update their instances of NanoProxy to include this fix and ensure they are using the latest secure version of all dependencies.\n\nFixed Version:\n* `golang.org/x/crypto` upgraded to version 0.31.0.", + "severity": [], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/ryanbekhen/nanoproxy" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.15.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/ryanbekhen/nanoproxy/security/advisories/GHSA-7prj-hgx4-2xc3" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45337" + }, + { + "type": "PACKAGE", + "url": "https://github.com/ryanbekhen/nanoproxy" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-1395", + "CWE-285" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-12-12T19:20:26Z", + "nvd_published_at": null + } +} \ No 
newline at end of file diff --git a/advisories/github-reviewed/2024/12/GHSA-cxrx-q234-m22m/GHSA-cxrx-q234-m22m.json b/advisories/github-reviewed/2024/12/GHSA-cxrx-q234-m22m/GHSA-cxrx-q234-m22m.json new file mode 100644 index 0000000000000..3629f6682d235 --- /dev/null +++ b/advisories/github-reviewed/2024/12/GHSA-cxrx-q234-m22m/GHSA-cxrx-q234-m22m.json 
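Review bot: `database_specific.severity` is `"HIGH"` while `severity` is an empty array, so the rating has no vector behind it and consumers that derive severity from the CVSS entries will disagree with those reading the database-specific field; either add the vector the rating came from or leave the rating unset until one exists. The NVD reference for CVE-2024-45337 is typed `ADVISORY` although `aliases` is empty, which is correct in that the CVE belongs to golang.org/x/crypto rather than to NanoProxy, but an `ADVISORY`-typed link that is not an alias is easy to mis-ingest as this record's canonical identifier; `"related": ["CVE-2024-45337"]` via the schema's `related` field plus retyping the reference to `WEB` would keep alias-based deduplication from conflating the two. The `details` text says the outdated dependency "could include authorization bypasses" without naming the underlying issue; citing CVE-2024-45337 in the body would make the scope of this advisory concrete for readers who do not open the references.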
@@ -0,0 +1,73 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cxrx-q234-m22m", + "modified": "2024-12-12T19:19:40Z", + "published": "2024-12-12T09:31:35Z", + "aliases": [ + "CVE-2024-12397" + ], + "summary": "io.quarkus.http/quarkus-http-core: Quarkus HTTP Cookie Smuggling", + "details": "A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "io.quarkus.http:quarkus-http-core" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "5.3.4" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12397" + }, + { + "type": "WEB", + "url": "https://github.com/quarkusio/quarkus-http/pull/170" + }, + { + "type": "WEB", + "url": "https://github.com/quarkusio/quarkus-http/commit/cfc99d80fce2e3a3dbf06972e648e79e925a7ae7" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2024-12397" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2331298" + }, + { + "type": "PACKAGE", + "url": "https://github.com/quarkusio/quarkus-http" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-444" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2024-12-12T19:19:40Z", + "nvd_published_at": "2024-12-12T09:15:05Z" + } +} \ No newline at end of file 
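Review bot: The `summary` writes the package as `io.quarkus.http/quarkus-http-core:` with a slash, while `affected[0].package.name` uses the Maven form `io.quarkus.http:quarkus-http-core`; the Undertow entry in this same commit prefixes its summary with `undertow:` and the XWiki entries use no coordinate prefix at all, so three styles are being introduced at once. A summary such as `Quarkus HTTP cookie smuggling in quarkus-http-core` would read consistently with the others and avoids a coordinate spelling that no Maven tool accepts. The rest of the record looks complete: the range ends in `{ "fixed": "5.3.4" }` and both the fixing pull request and the commit are pinned.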
diff --git a/advisories/github-reviewed/2024/12/GHSA-fqj6-whhx-47p7/GHSA-fqj6-whhx-47p7.json b/advisories/github-reviewed/2024/12/GHSA-fqj6-whhx-47p7/GHSA-fqj6-whhx-47p7.json
index b563fb8bf60b3..7e51d7182d431 100644
--- a/advisories/github-reviewed/2024/12/GHSA-fqj6-whhx-47p7/GHSA-fqj6-whhx-47p7.json
+++ b/advisories/github-reviewed/2024/12/GHSA-fqj6-whhx-47p7/GHSA-fqj6-whhx-47p7.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fqj6-whhx-47p7",
- "modified": "2024-12-12T17:42:49Z",
+ "modified": "2024-12-12T19:20:10Z",
 "published": "2024-12-11T18:44:49Z",
 "aliases": [
 "CVE-2024-55659"
@@ -51,6 +51,10 @@
 {
 "type": "PACKAGE",
 "url": "https://github.com/siyuan-note/siyuan"
+ },
+ {
+ "type": "WEB",
+ "url": "https://pkg.go.dev/vuln/GO-2024-3326"
 }
 ],
 "database_specific": {
diff --git a/advisories/github-reviewed/2024/12/GHSA-ghw8-3xqw-hhcj/GHSA-ghw8-3xqw-hhcj.json b/advisories/github-reviewed/2024/12/GHSA-ghw8-3xqw-hhcj/GHSA-ghw8-3xqw-hhcj.json
new file mode 100644
index 0000000000000..43135130ab92c
--- /dev/null
+++ b/advisories/github-reviewed/2024/12/GHSA-ghw8-3xqw-hhcj/GHSA-ghw8-3xqw-hhcj.json
@@ -0,0 +1,128 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-ghw8-3xqw-hhcj", + "modified": "2024-12-12T19:19:49Z", + "published": "2024-12-12T09:31:36Z", + "withdrawn": "2024-12-12T19:19:49Z", + "aliases": [ + "CVE-2024-12401" + ], + "summary": "Duplicate Advisory: cert-manager ha a potential slowdown / DoS when parsing specially crafted PEM inputs", + "details": "# Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-r4pg-vg54-wxx4. This link is maintained to preserve external references.\n\n# Original Description\n\nA flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/cert-manager/cert-manager" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.14" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/cert-manager/cert-manager" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.13.0-alpha.0" + }, + { + "fixed": "1.15.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/cert-manager/cert-manager" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.16.0-alpha.0" + }, + { + "fixed": "1.16.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12401" + }, + { + "type": "WEB", + "url": 
"https://github.com/cert-manager/cert-manager/pull/7400" + }, + { + "type": "WEB", + "url": "https://github.com/cert-manager/cert-manager/pull/7401" + }, + { + "type": "WEB", + "url": "https://github.com/cert-manager/cert-manager/pull/7402" + }, + { + "type": "WEB", + "url": "https://github.com/cert-manager/cert-manager/pull/7403" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2024-12401" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2327929" + }, + { + "type": "PACKAGE", + "url": "https://github.com/cert-manager/cert-manager" + }, + { + "type": "WEB", + "url": "https://go.dev/issue/50116" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2024-12-12T19:19:49Z", + "nvd_published_at": "2024-12-12T09:15:05Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2024/12/GHSA-r279-47wg-chpr/GHSA-r279-47wg-chpr.json b/advisories/github-reviewed/2024/12/GHSA-r279-47wg-chpr/GHSA-r279-47wg-chpr.json new file mode 100644 index 0000000000000..862c491884702 --- /dev/null +++ b/advisories/github-reviewed/2024/12/GHSA-r279-47wg-chpr/GHSA-r279-47wg-chpr.json 
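Review bot: The `summary` has a typo, `cert-manager ha a potential slowdown`, which should read `Duplicate Advisory: cert-manager has a potential slowdown / DoS when parsing specially crafted PEM inputs`; this string survives in the withdrawn record, so it is what search results and alias lookups will keep showing. A withdrawn duplicate that retains a full `affected` list and a CVSS vector will be reported a second time by any consumer that does not honour the `withdrawn` field, so it is worth confirming that the three ranges here are identical to those in GHSA-r4pg-vg54-wxx4 so the two records can never disagree on which versions are fixed. Populating the schema's `related` field with `GHSA-r4pg-vg54-wxx4` would let tooling link the two entries without having to parse the prose in `details`.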
@@ -0,0 +1,84 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-r279-47wg-chpr", + "modified": "2024-12-12T19:20:56Z", + "published": "2024-12-12T19:20:56Z", + "aliases": [ + "CVE-2024-55879" + ], + "summary": "XWiki allows RCE from script right in configurable sections", + "details": "### Impact\nAny user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation.\n\nTo reproduce on a instance, as a user with script rights, edit your user profile and add an object of type `XWiki.ConfigurableClass` (\"Custom configurable sections\").\nSet \"Display in section\" and \"Display in category\" to `other`, \"Scope\" to `Wiki and all spaces` and \"Heading\" to:\n```\n#set($codeToExecute = 'Test') #set($codeToExecuteResult = '{{async}}{{groovy}}services.logging.getLogger(\"attacker\").error(\"Attack from Heading succeeded!\"){{/groovy}}{{/async}}')\n```\nSave the page and view it, then add `?sheet=XWiki.AdminSheet&viewer=content§ion=other` to the URL.\nIf the logs contain \"attacker - Attack from Heading succeeded!\", then the instance is vulnerable.\n\n### Patches\nThis has been patched in XWiki 15.10.9 and 16.3.0.\n\n### Workarounds\nWe're not aware of any workaround except upgrading.\n\n### References\n* https://jira.xwiki.org/browse/XWIKI-21207\n* https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.xwiki.platform:xwiki-platform-administration-ui" + }, + "ranges": [ + { + "type": 
"ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.3"
+ },
+ {
+ "fixed": "15.10.9"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.xwiki.platform:xwiki-platform-administration-ui"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "16.0.0-rc-1"
+ },
+ {
+ "fixed": "16.3.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r279-47wg-chpr"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/xwiki/xwiki-platform"
+ },
+ {
+ "type": "WEB",
+ "url": "https://jira.xwiki.org/browse/XWIKI-21207"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": true,
+ "github_reviewed_at": "2024-12-12T19:20:56Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2024/12/GHSA-xx68-37v4-4596/GHSA-xx68-37v4-4596.json b/advisories/github-reviewed/2024/12/GHSA-xx68-37v4-4596/GHSA-xx68-37v4-4596.json
index ec6046e419683..7d14b5651f08c 100644
--- a/advisories/github-reviewed/2024/12/GHSA-xx68-37v4-4596/GHSA-xx68-37v4-4596.json
+++ b/advisories/github-reviewed/2024/12/GHSA-xx68-37v4-4596/GHSA-xx68-37v4-4596.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-xx68-37v4-4596",
- "modified": "2024-12-12T17:42:25Z",
+ "modified": "2024-12-12T19:18:58Z",
 "published": "2024-12-11T18:44:52Z",
 "aliases": [
 "CVE-2024-55657"
@@ -51,6 +51,10 @@
 {
 "type": "PACKAGE",
 "url": "https://github.com/siyuan-note/siyuan"
+ },
+ {
+ "type": "WEB",
+ "url": "https://pkg.go.dev/vuln/GO-2024-3327"
 }
 ],
 "database_specific": {
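Review bot: The reproduction URL inside `details` contains `§ion=other`, which reads like an HTML-entity decoding artifact rather than the author's text (an `&`-separated query parameter appears to have been swallowed); the committed JSON should be checked against the upstream advisory before it is relied on, since the same transformation could have altered other characters in that string. The first `affected` entry uses `"introduced": "2.3"` while the second uses `"introduced": "16.0.0-rc-1"`; if the earlier bound is meant as a concrete release rather than a branch marker, the full Maven version string is the safer form for version comparison in an ECOSYSTEM range. The remaining fields are consistent with each other: `database_specific.severity` of `CRITICAL` agrees with the scope-changed CVSS 3.1 vector, and the fixing commit is pinned by hash. This hunk starts at the file header on the previous line.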
diff --git a/advisories/unreviewed/2024/12/GHSA-75mx-hw5q-pvx3/GHSA-75mx-hw5q-pvx3.json b/advisories/unreviewed/2024/12/GHSA-75mx-hw5q-pvx3/GHSA-75mx-hw5q-pvx3.json deleted file mode 100644 index 4457a2749b17c..0000000000000 --- a/advisories/unreviewed/2024/12/GHSA-75mx-hw5q-pvx3/GHSA-75mx-hw5q-pvx3.json +++ /dev/null @@ -1,37 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-75mx-hw5q-pvx3", - "modified": "2024-12-12T03:33:05Z", - "published": "2024-12-12T03:33:05Z", - "aliases": [ - "CVE-2024-55587" - ], - "details": "python-libarchive through 4.2.1 allows directory traversal (to create files) in extract in zip.py for ZipFile.extractall and ZipFile.extract.", - "severity": [], - "affected": [], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55587" - }, - { - "type": "WEB", - "url": "https://github.com/smartfile/python-libarchive/issues/42" - }, - { - "type": "WEB", - "url": "https://github.com/smartfile/python-libarchive/pull/41" - }, - { - "type": "WEB", - "url": "https://github.com/smartfile/python-libarchive/blob/c7677411bfc4ab5701d343bc6ebd9e35c990e80e/libarchive/zip.py#L107" - } - ], - "database_specific": { - "cwe_ids": [], - "severity": null, - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2024-12-12T02:08:22Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2024/12/GHSA-cxrx-q234-m22m/GHSA-cxrx-q234-m22m.json b/advisories/unreviewed/2024/12/GHSA-cxrx-q234-m22m/GHSA-cxrx-q234-m22m.json deleted file mode 100644 index 59b306e144ca3..0000000000000 --- a/advisories/unreviewed/2024/12/GHSA-cxrx-q234-m22m/GHSA-cxrx-q234-m22m.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-cxrx-q234-m22m", - "modified": "2024-12-12T09:31:35Z", - "published": "2024-12-12T09:31:35Z", - "aliases": [ - "CVE-2024-12397" - ], - "details": "A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with\ncertain value-delimiting characters in incoming requests. This issue could\nallow an attacker to construct a cookie value to exfiltrate HttpOnly cookie\nvalues or spoof arbitrary additional cookie values, leading to unauthorized\ndata access or modification. The main threat from this flaw impacts data\nconfidentiality and integrity.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" - } - ], - "affected": [], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12397" - }, - { - "type": "WEB", - "url": "https://access.redhat.com/security/cve/CVE-2024-12397" - }, - { - "type": "WEB", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2331298" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-444" - ], - "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2024-12-12T09:15:05Z" - } -} \ No newline at end of file diff --git a/advisories/unreviewed/2024/12/GHSA-ghw8-3xqw-hhcj/GHSA-ghw8-3xqw-hhcj.json b/advisories/unreviewed/2024/12/GHSA-ghw8-3xqw-hhcj/GHSA-ghw8-3xqw-hhcj.json deleted file mode 100644 index 755ce7f7ea5ab..0000000000000 --- a/advisories/unreviewed/2024/12/GHSA-ghw8-3xqw-hhcj/GHSA-ghw8-3xqw-hhcj.json +++ /dev/null 
@@ -1,64 +0,0 @@ -{ - "schema_version": "1.4.0", - "id": "GHSA-ghw8-3xqw-hhcj", - "modified": "2024-12-12T09:31:36Z", - "published": "2024-12-12T09:31:36Z", - "aliases": [ - "CVE-2024-12401" - ], - "details": "A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" - } - ], - "affected": [], - "references": [ - { - "type": "WEB", - "url": "https://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12401" - }, - { - "type": "WEB", - "url": "https://github.com/cert-manager/cert-manager/pull/7400" - }, - { - "type": "WEB", - "url": "https://github.com/cert-manager/cert-manager/pull/7401" - }, - { - "type": "WEB", - "url": "https://github.com/cert-manager/cert-manager/pull/7402" - }, - { - "type": "WEB", - "url": "https://github.com/cert-manager/cert-manager/pull/7403" - }, - { - "type": "WEB", - "url": "https://access.redhat.com/security/cve/CVE-2024-12401" - }, - { - "type": "WEB", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2327929" - }, - { - "type": "WEB", - "url": "https://go.dev/issue/50116" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-20" - ], - "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, - "nvd_published_at": "2024-12-12T09:15:05Z" - } -} \ No newline at end of file